An Application instance represents a Client on the Authorization server. Usually an Application is
issued to client’s developers after they log in on an Authorization Server and pass in some data
which identify the Application itself (let’s say, the application name). Django OAuth Toolkit
provides a very basic implementation of the Application model containing only the data strictly
required during all the OAuth processes but you will likely need some extra info, like application
logo, acceptance of some user agreement and so on.

Then you need to tell Django OAuth Toolkit which model you want to use to represent applications.
Write something like this in your settings module:

OAUTH2_PROVIDER_APPLICATION_MODEL='your_app_name.MyApplication'

Be aware that, when you intend to swap the application model, you should create and run the
migration defining the swapped application model prior to setting OAUTH2_PROVIDER_APPLICATION_MODEL.
You’ll run into models.E022 in Core system checks if you don’t get the order right.

That’s all, now Django OAuth Toolkit will use your model wherever an Application instance is needed.

The default application model supports a single OAuth grant (e.g. authorization code, client credentials). If you need
applications to support multiple grants, override the allows_grant_type method. For example, if you want applications
to support the authorization code and client credentials grants, you might do the following:

fromoauth2_provider.modelsimportAbstractApplicationclassMyApplication(AbstractApplication):defallows_grant_type(self,*grant_types):# Assume, for this example, that self.authorization_grant_type is set to self.GRANT_AUTHORIZATION_CODEreturnbool(set([self.authorization_grant_type,self.GRANT_CLIENT_CREDENTIALS])&grant_types)

Depending on the OAuth2 flow in use and the access token policy, users might be prompted for the
same authorization multiple times: sometimes this is acceptable or even desirable but other times it isn’t.
To control DOT behaviour you can use the approval_prompt parameter when hitting the authorization endpoint.
Possible values are:

force - users are always prompted for authorization.

auto - users are prompted only the first time, subsequent authorizations for the same application
and scopes will be automatically accepted.

You might want to completely bypass the authorization form, for instance if your application is an
in-house product or if you already trust the application owner by other means. To this end, you have to
set skip_authorization=True on the Application model, either programmaticaly or within the
Django admin. Users will not be prompted for authorization, even on the first use of the application.